The present invention relates generally to the field of digital media signing, and more specifically to verifying digital signatures.
It is common today for application developers to digitally sign the programs they are developing. This practice is known as code signing. Programs that are signed undergo signature verification before being executed by the end-user computing system. The signature verification process enables customers using such a program to be assured that the program has not been altered at any point after it was developed. In other words, the signature verification process ensures that the program is genuine. Programs are only one example of digital media that can be signed and consequently may require digital signature verification. Media in this context can be any digital data including, but not limited to, audio and video files, legal documents and contracts, and binary program code.
Programs are signed using a signing key-pair. The private half of said key-pair is used to apply the digital signature to the program. The public half, also called the public key, is disseminated with the program to enable the signature to be verified. The code signing (verification) public key is packaged inside a digital certificate. This digital certificate is issued by a certificate authority (CA) and is itself signed by the CA's own signing key-pair. The CA signing public key is packaged inside a different digital certificate that is either issued by another CA or is self-signed. Self-signed certificates are called root certificates, and non-self-signed certificates are called either intermediate certificates or subordinate certificates. Hence, for any code verification public key, there exists a certificate chain, with zero or more subordinate certificates, that connects the verification public key to a root CA. Thus, if the root CA is a known certificate authority that is trusted by the end user, the code verification public key may also be trusted by verifying the signatures on the certificate chain.
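The following is an added worked example, not code from the patent or from any product it describes. It builds the arrangement described above in Go's standard library: a self-signed root certificate, one subordinate (intermediate) certificate, and a code signing certificate whose private half signs a constructed program image. The end user's check then walks the certificate chain back to the trusted root and only afterwards verifies the signature on the image. The names "Demo Root CA", "Demo Subordinate CA" and "Demo Code Signer", the choice of ECDSA P-256 with SHA-256, the 24-hour validity window and the image bytes are all assumptions made for this example; `crypto/x509` stands in for whatever verification logic the end-user system actually uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signedProgram is what the end-user system receives: the image, the signature made with
// the private half of the code signing key-pair, and the chain leading to a root CA.
type signedProgram struct {
	Image     []byte
	Signature []byte              // ECDSA signature over SHA-256(Image), ASN.1 encoded
	Leaf      *x509.Certificate   // carries the code signing (verification) public key
	Subs      []*x509.Certificate // subordinate CA certificates, possibly none
}

// must is only used while building the demo PKI, where any failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert generates a P-256 key-pair and a certificate for it, signed by signerKey on
// behalf of parent. A nil parent yields a self-signed root certificate. Names, key type
// and validity period are assumptions of this example.
func issueCert(name string, isCA bool, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // may issue subordinate or leaf certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil { // root: signs itself with its own key
		parent, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// verifySignedProgram is the end user's check: the leaf must chain through the shipped
// subordinates to a trusted root and be permitted to sign code, and only then is the
// signature over the image checked under the leaf's public key.
func verifySignedProgram(p signedProgram, trustedRoots *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range p.Subs {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: trustedRoots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := p.Leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain not trusted: %w", err)
	}
	if err := p.Leaf.CheckSignature(x509.ECDSAWithSHA256, p.Image, p.Signature); err != nil {
		return fmt.Errorf("program signature invalid (image altered or wrong key): %w", err)
	}
	return nil
}

// buildDemoChain issues root -> subordinate -> code signer and signs a constructed
// image; it returns the bundle and the root pool the end user is assumed to trust.
func buildDemoChain() (signedProgram, *x509.CertPool) {
	root, rootKey := issueCert("Demo Root CA", true, nil, nil)
	sub, subKey := issueCert("Demo Subordinate CA", true, root, rootKey)
	leaf, leafKey := issueCert("Demo Code Signer", false, sub, subKey)
	image := []byte("constructed program image, not a real binary") // constructed sample input
	digest := sha256.Sum256(image)
	sig := must(ecdsa.SignASN1(rand.Reader, leafKey, digest[:]))
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return signedProgram{Image: image, Signature: sig, Leaf: leaf, Subs: []*x509.Certificate{sub}}, roots
}

func main() {
	p, roots := buildDemoChain()
	fmt.Println("genuine image:", verifySignedProgram(p, roots)) // <nil>
	p.Image = append([]byte("altered "), p.Image...)
	fmt.Println("altered image:", verifySignedProgram(p, roots)) // program signature invalid
}
```

The order of the two checks matters: the signature on the image is only meaningful once the public key used to verify it has itself been traced, certificate by certificate, to a root the end user trusts. Shipping the leaf without its subordinate certificate, or presenting it to a system whose root store does not contain the root, fails the first check even though the image signature itself is mathematically valid.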